Deploying SL1 Appliances in Amazon Web Services

This section describes how to install SL1 on an Amazon Web Services EC2 instance, which is a virtual server that resides in the AWS cloud.

Use the following menu options to navigate the SL1 user interface:

  • To view a pop-out list of menu options, click the menu icon.
  • To view a page containing all of the menu options, click the Advanced menu icon.

For more information about monitoring Amazon Web Services in SL1, see the section on Monitoring Amazon Web Services.

AWS Instance Specifications

For details about AWS and the requirements and specifications for each SL1 appliance, see the ScienceLogic Support Site: https://support.sciencelogic.com/s/system-requirements?tabset-3429b=db66f.

Deploying an SL1 System on AWS

For ease of configuration, create nodes or appliances in this order:

  1. Database Server
  2. Administration Portal (if applicable)
  3. Data Collectors
  4. Message Collectors (if applicable)

NOTE: The following instructions describe how to configure a ScienceLogic virtual machine in AWS. If you are looking for resources and support for AWS Cloud, see the Amazon AWS Marketplace: https://aws.amazon.com/marketplace/.

What are the ScienceLogic AMIs?

An instance is a virtual server that resides in the AWS cloud. An Amazon Machine Image (AMI) is the collection of files and information that AWS uses to create an instance. A single AMI can launch multiple instances.

For details on AMIs, see http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html.

The ScienceLogic AMIs are defined by ScienceLogic. ScienceLogic has created an AMI for each type of ScienceLogic appliance. You can use a ScienceLogic AMI to create Elastic Compute Cloud (EC2) instances for each type of ScienceLogic appliance.

NOTE: Elastic Compute Cloud (EC2) instances are virtual servers that come in a variety of configurations and can be easily changed as your computing needs change. For more information on EC2, see http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/concepts.html.

The ScienceLogic AMIs are private and are for ScienceLogic customers only. After you collect specific information about your AWS account, you can send a request (and the collected information) to ScienceLogic, and ScienceLogic will share the ScienceLogic AMIs with you.

NOTE: As of 8.10.0 and later releases, ScienceLogic AMIs support Enhanced Network Adapters (ENAs).

Getting the ScienceLogic AMI

To get access to the ScienceLogic AMIs:

  1. Log in to the ScienceLogic Support Site.

  2. Go to the ScienceLogic Product Licensing page (Support > License & AMI Requests).

  3. Under the Amazon AWS AMI Request heading, click Submit AMI Request. The Request Amazon AMI page appears.

    If you are an Amazon Web Services GovCloud user, you will need to contact ScienceLogic Support to get the ScienceLogic AMI.

  4. Fill out the Request Amazon AMI form and click the Submit AMI Request button.

  5. Repeat steps 2-4 for each type of SL1 appliance you want to install on AWS.

  6. ScienceLogic Customer Support will send you an email confirming that they have shared the ScienceLogic AMI with your AWS account.

  7. To view the ScienceLogic AMIs in your AWS account, go to the AWS Management Console page. Under the heading Compute, click EC2.

  8. In the EC2 Dashboard page, go to the left navigation bar. Under the heading Images, click AMIs.

  9. In the main pane, under Filters, click Owned by me and then select Private images.

  10. You should see AMIs with names that begin with "EM7" and end with the current release number for SL1. You should see an AMI for each type of SL1 appliance.

  11. If you do not see AMIs with names that begin with "EM7", your EC2 Dashboard might have a default region that does not match the region for the ScienceLogic AMIs. To change the current region in the EC2 dashboard, click the region pull-down in the upper right and choose another region. Do this until you find the ScienceLogic AMIs.

A region is a geographic location. AWS has data centers that include multiple regions. You can specify that an instance reside in a specific region. For more details on regions, see http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html.

Launching the New Instance

This section describes how to launch a new EC2 instance from the ScienceLogic AMI.

Before you begin, be advised of the following:

  • To complete the steps listed in this section, you must have already received the ScienceLogic AMIs. If you have just completed the steps in that section, you can start at step 4 in this section.

  • This section assumes that you will launch each new EC2 instance into a VPC subnet with a primary IP address that is static and private. For more information on VPCs and VPC subnets, see http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Introduction.html.

  • You can use multiple AWS instances to create a distributed SL1 system. For each instance, you must specify the correct instance type, storage size, and security rules. All these parameters are described in this section.

  • For details about the recommended instance type for each ScienceLogic appliance, see the System Requirements page on the ScienceLogic Support site.

To launch the new EC2 instance from the ScienceLogic AMI:

  1. Go to the EC2 Dashboard.

  2. In the left navigation bar, under the heading Images, click AMIs.

  3. In the main pane, under Filters, click Owned by me and then select Private images.

  4. From the list, select the checkbox of the ScienceLogic AMI that matches the ScienceLogic appliance you want to create, then click the Launch instance from AMI button.

  5. On the Launch an instance page, complete the following fields:

    • Name and tags. Add a descriptive name and one or more tags for this instance.

      For more information on tags, see http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html.

    • Application and OS Images (Amazon Machine Image). This field is prepopulated with your ScienceLogic AMI.

    • Instance Type. Select the instance type recommended for the AMI that meets the system requirements for the instance you are launching.

    • Key pair (login). Create a new key pair to connect to your instance. Alternatively, you can select an existing key pair, but only if you have previously downloaded and saved the private key, because you cannot retrieve an existing private key a second time.

      Amazon EC2 instances use public-key cryptography for authentication. When you create a new key pair, AWS stores the public key on its servers and automatically downloads the file that contains the private key to your browser in a file that ends in ".pem". You will need this .pem file again when you configure SSH access to your AWS instances.

    • Network settings. Expand this section, click Edit, and update the fields as needed based on your environment's needs. Options include:

      • VPC. For accounts enabled for virtual private clouds, select the network where the instance will reside. If you are unsure of the network, use the default, which is based on your region.

      • Subnet. For VPC-enabled accounts, select or create the subnet where the instance will reside. If you are unsure of the subnet, use the default.

      • Auto-assign Public IP. If you select Enable, AWS will assign an IPv4 address from the public pool to this instance. If you select Disable, you must assign an Elastic IP Address (EIP) to the instance.

        If you select Enable in the Auto-assign Public IP field, the IP address will change each time the instance is stopped, hibernated, or terminated. For All-In-One Appliances and for Administration Portals, you might want to use an Elastic IP address (EIP), which is a persistent IP address. See the section on Elastic IP Addresses (EIP) for details.

        For more information on Elastic IP Addresses, see http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html.

      • Auto-assign IPv6 IP. Select whether you want to Enable or Disable the ability for AWS to automatically assign an IPv6 address to this instance.

        If you select Enable in the Auto-assign IPv6 IP field, the IP address will change each time the instance is terminated, but not when it is stopped or hibernated. You cannot assign an elastic IP address for IPv6.

      • Firewall (security groups). Select an existing security group or create a new security group for your instance. You must ensure that your security group has rules that allow traffic to and from your AWS instances, as all other traffic will be ignored. If you create a new security group, add a name and description of the security group as well as inbound security group rules. Use the following tables to create security rules for each type of SL1 appliance. After completing each row, click the Add security group rule button.

    • Configure storage. Add the amount of storage you need that meets the system requirements for the instance you are launching. Using the Advanced view, increase the size of the /dev/sda1 partition as follows:

      SL1 Appliance                                  Type             Device      Size in GB
      Administration Portal                          Instance Store   /dev/sda1   85
      Message Collector without ScienceLogic Agent   Instance Store   /dev/sda1   85
      Message Collector with ScienceLogic Agent      Instance Store   /dev/sda1   85
      Database Server                                EBS              /dev/sda1   105
      All-In-One Appliance                           EBS NVMe SSD     /dev/sda1   105
      Data Collector                                 Instance Store   /dev/sda1   85

      In addition, make the following update in this section:

      • Delete on Termination. Select Yes.

    • Advanced details. Expand this section and update the fields as needed based on your environment's needs. At a minimum, update the following fields:

      • IAM instance profile. If your organization uses IAM roles, select the appropriate role.

      • Shutdown behavior. Select Stop.

      • Termination protection. Configure this setting according to your organization's procedures.

      • Detailed CloudWatch monitoring. Select Disable.

      • EBS-optimized instance. Select Disable.

      • Tenancy. Select Shared - Run a shared hardware instance.

      • Metadata accessible. Select Enabled.

      • Metadata version. Select V1 and V2 (token optional).

      For more information about all of your options when launching a new instance, see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-launch-parameters.html.

  6. In the Summary panel, enter the number of instances you need to launch in the Number of instances field and then click Launch instance.

    It might take several minutes for your instance to launch.

  7. When the instance launch has completed, click the View all instances button to see your new instance.

  8. For all nodes, continue to the steps listed in Additional Configuration Steps.

Security Rules for Each Appliance Type

Configure this list according to your requirements, your AWS configuration, and your security rules.

All-In-One Appliance

Inbound

  • Type: SSH (edit the default SSH rule); Protocol: TCP; Port Range: 22
    Source: If you will always log in from a single IP address, select My IP. If you will log in to the instance from multiple IP addresses, enter those IP addresses, separated by commas, in this field.
    Description: SSH. For SSH sessions from the user workstation to the appliance. This is necessary to start the installation wizard.

  • Type: HTTP; Protocol: TCP; Port Range: 80
    Source: If you will always log in from a single IP address, select My IP. If you will log in to the instance from multiple IP addresses, enter those IP addresses, separated by commas, in this field.
    Description: HTTP from browser session on user workstation.

  • Type: HTTPS; Protocol: TCP; Port Range: 443
    Source: If you will always log in from a single IP address, select My IP. If you will log in to the instance from multiple IP addresses, enter those IP addresses, separated by commas, in this field.
    Description: HTTPS from browser session on user workstation.

  • Type: Custom TCP Rule; Protocol: TCP; Port Range: 7700
    Source: If you will always log in from a single IP address, select My IP. If you will log in to the instance from multiple IP addresses, enter those IP addresses, separated by commas, in this field.
    Description: ScienceLogic Web Configurator. Configuration Utility from browser session on user workstation. This is necessary to license the appliance.

  • Type: Custom UDP Rule; Protocol: UDP; Port Range: 162
    Source: Specify a list of IP addresses for all managed devices from which you want to receive SNMP traps.
    Description: SNMP Traps. Necessary to receive SNMP traps from managed devices.

  • Type: Custom UDP Rule; Protocol: UDP; Port Range: 514
    Source: Specify a list of IP addresses for all managed devices from which you want to receive Syslog messages.
    Description: Syslog messages. Necessary to receive syslog messages from managed devices.

  • Type: SMTP; Protocol: TCP; Port Range: 25
    Source: Specify a list of IP addresses for all managed devices from which you want to receive email messages.
    Description: Necessary to receive inbound email for tickets, events, and email round-trip monitoring.

  • Type: Custom TCP Rule; Protocol: TCP; Port Range: 123
    Source: Enter the IP address of the NTP server.
    Description: NTP. Communication between the All-In-One Appliance and configured NTP server.

Database Server

Inbound

  • Type: SSH (edit the default SSH rule); Protocol: TCP; Port Range: 22
    Source: If you will always log in from a single IP address, select My IP. If you will log in to the instance from multiple IP addresses, enter those IP addresses, separated by commas, in this field.
    Description: SSH. For ssh sessions from user workstation to the appliance. This is necessary to start the installation wizard.

  • Type: SMTP; Protocol: TCP; Port Range: 25
    Source: Specify a list of IP addresses for all managed devices from which you want to receive email messages.
    Description: Necessary to receive inbound email for tickets, events, and email round-trip monitoring.

  • Type: HTTP; Protocol: TCP; Port Range: 80
    NOTE: Required only if you are using the Administration Portal on the Database
    Source: If you will always log in from a single IP address, select My IP. If you will log in to the instance from multiple IP addresses, enter those IP addresses, separated by commas, in this field.
    Description: HTTP from browser session on user workstation.

  • Type: Custom TCP Rule; Protocol: TCP; Port Range: 123
    Source: Enter the IP address of the NTP server.
    Description: NTP. Communication between the Database Server and configured NTP server.

  • Type: Custom UDP Rule; Protocol: UDP; Port Range: 161
    Source: Specify an IP address for each Data Collector that you will allow to collect SNMP information about the Database Server.
    Description: SNMP Agent. Allows SNMP information about the Database Server to be collected by SL1.

  • Type: HTTPS; Protocol: TCP; Port Range: 443
    NOTE: Required only if you are using the Administration Portal on the Database
    Source: If you will always log in from a single IP address, select My IP. If you will log in to the instance from multiple IP addresses, enter those IP addresses, separated by commas, in this field.
    Description: HTTPS from browser session on user workstation.

  • Type: Custom TCP Rule; Protocol: TCP; Port Range: 7700
    Source: If you will always log in from a single IP address, select My IP. If you will log in to the instance from multiple IP addresses, enter those IP addresses, separated by commas, in this field.
    Description: ScienceLogic Web Configurator. Configuration Utility from browser session on user workstation. This is necessary to license the appliance.

  • Type: Custom TCP Rule; Protocol: TCP; Port Range: 7706
    Source: Specify an IP address for each Data Collector that you will allow to collect SNMP information about the Database Server.
    Description: MySQL. Communication from Administration Portal.

  • Type: Custom TCP Rule; Protocol: TCP; Port Range: 8008
    Source: If you will always log in from a single IP address, select My IP. If you will log in to the instance from multiple IP addresses, enter those IP addresses, separated by commas, in this field.
    Description: Administrative Web Interface (PHPMyAdmin) from browser session on user workstation.

  • Type: Custom TCP Rule; Protocol: TCP; Port Range: 8200
    Source: If there is a firewall between the Database Server, Data Engine, and Administration Portal appliances, this port must be open to enable Enterprise Key Management Service (EKMS) cluster communication between those appliances.
    Description: EKMS Cluster Communication.

Administration Portal

Inbound

  • Type: SSH (edit the default SSH rule); Protocol: TCP; Port Range: 22
    Source: If you will always log in from a single IP address, select My IP. If you will log in to the instance from multiple IP addresses, enter those IP addresses, separated by commas, in this field.
    Description: SSH. For ssh sessions from user workstation to the appliance. This is necessary to start the installation wizard.

  • Type: HTTP; Protocol: TCP; Port Range: 80
    Source: If you will always log in from a single IP address, select My IP. If you will log in to the instance from multiple IP addresses, enter those IP addresses, separated by commas, in this field.
    Description: HTTP from browser session on user workstation.

  • Type: HTTPS; Protocol: TCP; Port Range: 443
    Source: If you will always log in from a single IP address, select My IP. If you will log in to the instance from multiple IP addresses, enter those IP addresses, separated by commas, in this field.
    Description: HTTPS from browser session on user workstation.

  • Type: Custom TCP Rule; Protocol: TCP; Port Range: 123
    Source: Enter the IP address of the NTP server.
    Description: NTP. Communication between the Administration Portal and configured NTP server.

  • Type: Custom TCP Rule; Protocol: TCP; Port Range: 7700
    Source: If you will always log in from a single IP address, select My IP. If you will log in to the instance from multiple IP addresses, enter those IP addresses, separated by commas, in this field.
    Description: ScienceLogic Web Configurator. Configuration Utility from browser session on user workstation. This is necessary to license the appliance.

  • Type: Custom UDP Rule; Protocol: UDP; Port Range: 161
    Source: Specify an IP address for each Data Collector that you will allow to collect SNMP information about the Administration Portal.
    Description: SNMP Agent. Allows SNMP information about the Administration Portal to be collected by SL1.

  • Type: Custom TCP Rule; Protocol: TCP; Port Range: 8200
    Source: If there is a firewall between the Database Server, Data Engine, and Administration Portal appliances, this port must be open to enable Enterprise Key Management Service (EKMS) cluster communication between those appliances.
    Description: EKMS Cluster Communication.

Data Collector

Inbound

  • Type: SSH (edit the default SSH rule); Protocol: TCP; Port Range: 22
    Source: If you will always log in from a single IP address, select My IP. If you will log in to the instance from multiple IP addresses, enter those IP addresses, separated by commas, in this field.
    Description: SSH. For ssh sessions from user workstation to the appliance. This is necessary to start the installation wizard.

  • Type: Custom TCP Rule; Protocol: TCP; Port Range: 123
    Source: Enter the IP address of the NTP server.
    Description: NTP. Communication between the Data Collector and configured NTP server.

  • Type: Custom UDP Rule; Protocol: UDP; Port Range: 161
    Source: Specify an IP address for each Data Collector that you will allow to collect SNMP information about this Data Collector.
    Description: SNMP Agent. Allows SNMP information about the Data Collector to be collected by SL1.

  • Type: Custom UDP Rule; Protocol: UDP; Port Range: 162
    Source: Specify a list of IP addresses for all managed devices from which you want to receive SNMP traps.
    Description: SNMP Traps. Necessary to receive SNMP traps from managed devices.

  • Type: Custom UDP Rule; Protocol: UDP; Port Range: 514
    Source: Specify a list of IP addresses for all managed devices from which you want to receive Syslog messages.
    Description: Syslog messages. Necessary to receive syslog messages from managed devices.

  • Type: Custom TCP Rule; Protocol: TCP; Port Range: 7700
    Source: If you will always log in from a single IP address, select My IP. If you will log in to the instance from multiple IP addresses, enter those IP addresses, separated by commas, in this field.
    Description: ScienceLogic Web Configurator. Configuration Utility from browser session on user workstation. This is necessary to license the appliance.

  • Type: Custom TCP Rule; Protocol: TCP; Port Range: 7707
    Source: Specify the IP address of the Database Server that you want to retrieve data from the Data Collector.
    Description: Data Pull. Allows the Database Server to retrieve data from the Data Collector.

Message Collector

Inbound

  • Type: SSH (edit the default SSH rule); Protocol: TCP; Port Range: 22
    Source: If you will always log in from a single IP address, select My IP. If you will log in to the instance from multiple IP addresses, enter those IP addresses, separated by commas, in this field.
    Description: SSH. For ssh sessions from user workstation to the appliance. This is necessary to start the installation wizard.

  • Type: Custom TCP Rule; Protocol: TCP; Port Range: 123
    Source: Enter the IP address of the NTP server.
    Description: NTP. Communication between the Message Collector and configured NTP server.

  • Type: Custom UDP Rule; Protocol: UDP; Port Range: 161
    Source: Specify an IP address for each Data Collector that you will allow to collect SNMP information about this Message Collector.
    Description: SNMP Agent. Allows SNMP information about the Message Collector to be collected by SL1.

  • Type: Custom UDP Rule; Protocol: UDP; Port Range: 162
    Source: Specify a list of IP addresses for all managed devices from which you want to receive SNMP traps.
    Description: SNMP Traps. Necessary to receive SNMP traps from managed devices.

  • Type: Custom UDP Rule; Protocol: UDP; Port Range: 514
    Source: Specify a list of IP addresses for all managed devices from which you want to receive Syslog messages.
    Description: Syslog messages. Necessary to receive syslog messages from managed devices.

  • Type: Custom TCP Rule; Protocol: TCP; Port Range: 7700
    Source: If you will always log in from a single IP address, select My IP. If you will log in to the instance from multiple IP addresses, enter those IP addresses, separated by commas, in this field.
    Description: ScienceLogic Web Configurator. Configuration Utility from browser session on user workstation. This is necessary to license the appliance.

  • Type: Custom TCP Rule; Protocol: TCP; Port Range: 7707
    Source: Specify the IP address of the Database Server that you want to retrieve data from the Message Collector.
    Description: Data Pull. Allows the Database Server to retrieve data from the Message Collector.
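
The following is an added example, not ScienceLogic code: a Python audit that compares a security group's inbound rules against the ports the tables in this section list for an appliance type, and reports any rule that exposes ports the tables do not list or that is open to every address (0.0.0.0/0 or ::/0). It assumes input in the JSON shape returned by the EC2 DescribeSecurityGroups call; the function names, appliance keys, and the sample group are constructed for illustration.

```python
import ipaddress

# Inbound (protocol, port) pairs copied from the appliance tables in this section.
COLLECTOR = {("tcp", 22), ("tcp", 123), ("udp", 161), ("udp", 162),
             ("udp", 514), ("tcp", 7700), ("tcp", 7707)}
EXPECTED = {
    "all-in-one": {("tcp", 22), ("tcp", 80), ("tcp", 443), ("tcp", 7700),
                   ("udp", 162), ("udp", 514), ("tcp", 25), ("tcp", 123)},
    "database": {("tcp", 22), ("tcp", 25), ("tcp", 80), ("tcp", 123),
                 ("udp", 161), ("tcp", 443), ("tcp", 7700), ("tcp", 7706),
                 ("tcp", 8008), ("tcp", 8200)},
    "admin-portal": {("tcp", 22), ("tcp", 80), ("tcp", 443), ("tcp", 123),
                     ("tcp", 7700), ("udp", 161), ("tcp", 8200)},
    "data-collector": COLLECTOR,
    "message-collector": COLLECTOR,
}


def cidr_sources(perm):
    """Return the IPv4 and IPv6 CIDR sources of one IpPermissions entry.

    Sources given as other security groups or prefix lists are not
    inspected here.
    """
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return v4 + v6


def audit_group(group, appliance):
    """Return sorted (finding, detail) tuples for rules wider than the tables."""
    expected = EXPECTED[appliance]
    findings = set()
    for perm in group.get("IpPermissions", []):
        proto = perm["IpProtocol"]
        if proto == "-1":
            # "-1" is how the EC2 API encodes "all protocols, all ports".
            label = "all traffic"
            findings.add(("unlisted-port", label))
        elif proto not in ("tcp", "udp"):
            label = proto
            findings.add(("unlisted-protocol", label))
        else:
            lo, hi = perm["FromPort"], perm["ToPort"]
            label = f"{proto}/{lo}" if lo == hi else f"{proto}/{lo}-{hi}"
            # Ports inside this rule's range that the table does list.
            listed = {p for pr, p in expected if pr == proto and lo <= p <= hi}
            if hi - lo + 1 > len(listed):
                findings.add(("unlisted-port", label))
        for cidr in cidr_sources(perm):
            # A prefix length of 0 matches every address.
            if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                findings.add(("open-to-world", f"{label} from {cidr}"))
    return sorted(findings)


def rule(proto, lo, hi, v4=(), v6=()):
    """Build one constructed IpPermissions entry."""
    return {"IpProtocol": proto, "FromPort": lo, "ToPort": hi,
            "IpRanges": [{"CidrIp": c} for c in v4],
            "Ipv6Ranges": [{"CidrIpv6": c} for c in v6]}


# Constructed sample: a security group intended for a Data Collector.
SAMPLE_GROUP = {
    "GroupName": "sl1-data-collector (constructed)",
    "IpPermissions": [
        rule("tcp", 22, 22, v4=["203.0.113.10/32"]),
        rule("tcp", 7700, 7700, v4=["0.0.0.0/0"]),
        rule("udp", 161, 161, v4=["10.0.1.20/32"]),
        rule("tcp", 7707, 7707, v4=["10.0.1.5/32"]),
        rule("tcp", 8000, 8100, v4=["10.0.0.0/16"]),
        rule("tcp", 443, 443, v6=["::/0"]),
    ],
}

if __name__ == "__main__":
    for finding, detail in audit_group(SAMPLE_GROUP, "data-collector"):
        print(f"{finding}: {detail}")
```

A rule the tables list but your deployment does not need is not reported; the audit only reports exposure beyond the tables.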

Additional Configuration Steps

After the instance is successfully launched, perform these additional steps to complete configuration:

  • For instances of the Database Server or All-In-One Appliance:
  • For instances of the Administration Portal:
  • For instances of the Data Collector and Message Collector:

Assigning an EIP to the New Instance

This section assumes you have already received the ScienceLogic AMI and created an EC2 instance based on the ScienceLogic AMI.

AWS can assign a public-facing IP address to your new instance. However, the IP address will change each time the instance is stopped or terminated. If you will be accessing an All-In-One Appliance or an Administration Portal appliance from the internet, ScienceLogic recommends you use an Elastic IP address (EIP).

An EIP is a permanent static address that belongs to an account (not an instance) and can be reused. An EIP address is required only if you want the public IP address to remain constant. When you assign an EIP to an instance, the instance still retains its private IP address in its VPC.

If you use an AWS VPN to access the All-In-One Appliance or Administration Portal appliance, meaning that you can access the All-In-One Appliance or Administration Portal appliance only through your corporate network, you do not have to assign an EIP to the All-In-One Appliance or Administration Portal appliance.

For more information on Elastic IP, see http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html

AWS accounts are limited to five Elastic IP addresses.

To assign an EIP to your new instance:

  1. Go to the EC2 Dashboard.
  2. In the left navigation pane, under the Network & Security heading, click Elastic IPs.
  3. Click Allocate Elastic IP address.
  4. On the Allocate Elastic IP address page, update the EIP settings and tags based on your needs for your SL1 instance. When you are finished, click Allocate.
  5. From the EC2 Dashboard, in the left navigation pane, under the Network & Security heading, click Elastic IPs.
  6. Select the EIP you allocated, then click the Actions menu and select Associate Elastic IP address.
  7. In the Resource type field, select Instance, then select the SL1 appliance instance you want to associate with the EIP.
  8. Click Associate. The SL1 appliance instance is now associated with the new EIP.

Accessing the Appliance Using SSH

This section assumes you have already received the ScienceLogic AMIs and created an EC2 instance based on the ScienceLogic AMI.

This section assumes that you have access to SSH on the command line.

Gathering Information Required for Accessing the Appliance Using SSH

To gather the required information:

  1. Go to the EC2 Dashboard.
  2. In the left navigation pane, under the Instances heading, select Instances.
  3. Click in the row that contains the SL1 appliance instance.
  4. The lower pane contains information about the instance. Write down the Public DNS and Public IP.
  5. If you are using AWS instances to create a distributed SL1 system, perform this step for each AWS instance you want to include in the distributed system.

Configuring SSH

Before you can use SSH with the SL1 appliance instance, you must ensure that SSH can use the .pem file downloaded earlier during the configuration. For details on downloading the .pem file, see the last few steps in the section on Launching the EC2 Instance.

Connecting to Your Instance

On Unix and Linux systems, you can connect to your SL1 appliance instance using the SSH command.

NOTE: You should store the .pem file in a secure location. ScienceLogic recommends you store the .pem file in $HOME/.ssh. ScienceLogic also recommends you change the permissions on the .pem file to allow only read-only access by the owner of the .pem file.

To connect using the .pem file generated by AWS, enter the following at the shell prompt:

ssh -i ~/.ssh/my-aws-key.pem em7admin@[hostname or IP address]


where:

  • ~/.ssh/my-aws-key.pem. Replace with the name and full path to your .pem file.
  • hostname or IP address. Replace with the hostname or public-facing IP address of the SL1 appliance instance.

You can also configure your SSH client to automatically select the correct key file when accessing the SL1 appliance instance. For details, see the man page for ssh_config for your flavor of UNIX.

Configuring the EC2 Instance

To configure each new EC2 instance, perform the following steps:

  1. Use SSH to access the EC2 instance using its public IP address, username, and the SSH key defined in the section Accessing the Appliance Using SSH:

    ssh -i <private key path> em7admin@<vm-ip-address>

  2. If you are performing a fresh installation, you will be prompted by the Message of the Day to set up the MariaDB password.  

  3. Use the following command to edit the /etc/silo.conf file:

    sudo visilo --no-validation

  4. In the /etc/silo.conf file, update the following section or sections:

    • For the clientdbuser account:

      [LOCAL]

      dbpasswd = <NEW_PASSWORD>

      [CENTRAL]

      dbpasswd = <NEW_PASSWORD>

      The CENTRAL section does not appear for all appliance types. If it does, then the dbpasswd values should match in both sections.

    • For the ap_user account:

      [CENTRAL]

      ap_user = apuser

      ap_pass = <NEW_PASSWORD>

      The CENTRAL section does not appear for all appliance types.

  5. Save the file (:wq) and enter y to move the changes to the /etc/siteconfig/siloconf.siteconfig file automatically.

  6. Run the following command:

    sudo systemctl restart nextui php-fpm nginx

  7. Repeat these steps on the other SL1 appliances in your stack as needed to update the passwords for those appliances as well.

Web Configuration Tool

Rebooting Data Collectors and Message Collectors

After installing an SL1 appliance as an AWS instance, you must reboot the instance.

To reboot the AWS instance:

  1. Connect to the command-line interface of the appliance as the em7admin user using SSH. See the Accessing the Appliance Using SSH section for more information.
  2. Execute the following command:

    sudo reboot